Information Security News mailing list archives

Security Flaw Found in Explorer


From: InfoSec News <isn () c4i org>
Date: Wed, 5 Jun 2002 03:20:14 -0500 (CDT)

http://www.lasvegassun.com/sunbin/stories/tech/2002/jun/04/060408242.html

June 04, 2002 

REDMOND, Wash. - A security flaw in Microsoft's Internet Explorer
browser could allow a hacker to take control of a remote computer if
its user clicks a link to an outdated Internet protocol, a computer
security firm says.

Oy Online Solutions Ltd. of Finland said it notified Microsoft Corp.  
of the security hole on May 20 but the software giant has yet to
produce a software patch to fix the problem, the Toronto Star reported
Tuesday.

A Microsoft spokesman who refused to be identified said Tuesday that
the company is "moving forward on the investigation with all due
speed" and will take the action that best serves its customers.

The problem concerns Gopher, an Internet protocol that predates the
World Wide Web with pages like Web pages except that they are unable
to store audio and video content.

Although Gopher is considered an outdated format for Internet content,
it is still supported by Internet Explorer and most other browsers.

According to Oy Online, a hacker could take over a user's computer
simply by having the user click on a link to a "hostile Gopher site."  
That one click would install and run any program the hacker chose on
the victim's computer, and the victim might never know.

"The program could, for example, delete information from the computer
or collect information and send it out from the computer," Oy Online
said in a release. "(It) could also install a so-called backdoor
(program) that would enable the hostile attacker to access the
computer later."

All versions of Internet Explorer are believed to be vulnerable, the
Star reported.

Refusing to confirm the security flaw, the Microsoft spokesman said
the company "feel(s) strongly that speculating on the issue while the
investigation is in progress would be irresponsible and
counterproductive to our goal of protecting our customers'
information."

And the spokesman added, "Responsible security researchers work with
the vendor of a suspected vulnerability issue to ensure that
countermeasures are developed before the issue is made public and
customers are needlessly put at risk."

After being embarrassed on an almost regular basis by security flaws
in its products - including a debilitating problem found in its latest
Windows XP operating system just days after its release - Microsoft
began a companywide training program on security issues earlier this
year.

In January, Microsoft Chairman Bill Gates instructed employees to make
software security a top priority.



-
ISN is currently hosted by Attrition.org


